Changing the SSH Port for IPTables
When I installed my own web server, I also did my best to ensure it was secure. I installed OpenSSH, required an RSA key to access it remotely, and removed the ability to access it remotely with just a password. And even if you could get to it physically, the password was quite long (though if you could get to it remotely, I have greater worries than just accessing the site). It wasn't that I was worried about the site itself; there's nothing sensitive here. But I didn't want my little server to serve someone else's nefarious purposes.
As part of my efforts, I wanted to change the default port on which SSH listens on the server. For a server running Ubuntu, this is a two-step process. The first step is to change the port setting in the /etc/ssh/sshd_config file. The second step is to change the iptables rules.
First, let's change the port setting in the sshd_config file. I was already logged in (using SSH under the default port, which is port 22). I issued the following command:
That opened the text editor. Then I looked for the following line (which is shown in bold font below):
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
I changed this from the default port 22 to 2022, as shown below (again with bold font):
Port 2022
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
I'm not going to re-start the SSH server yet! The reason is that, if I lose my connection and try to get back in, I won't be able to because I've not changed the iptables file yet. I saved the file and exited the text editor.
The next step was to change the iptables rules. The problem here is that iptables is not a simple text file that can be edited; it is a bit more complicated. Still, it's straightforward. Start this step by saving the current iptables rules to a text file. To do so, issue the following command:
That command creates a text file that you can edit and then load back to set the desired port. Now we're ready to edit the text file. Issue the following command to open it in the "nano" text editor:
With the text editor open, look for a line (highlighted in bold font below) that has "SSH" in it. Note that this is only a small portion of the total file:
-A net2fw -p tcp -m tcp --dport 80 -m comment --comment "HTTP" -j ACCEPT
-A net2fw -p tcp -m tcp --dport 22 -m comment --comment "SSH" -j ACCEPT
-A net2fw -j Drop
Now, change the "22" into the new port number, which in my case is "2022", as shown below:
-A net2fw -p tcp -m tcp --dport 80 -m comment --comment "HTTP" -j ACCEPT
-A net2fw -p tcp -m tcp --dport 2022 -m comment --comment "SSH" -j ACCEPT
-A net2fw -j Drop
Save the file and exit the editor. That part is done. Now, we need to make it so that iptables uses this new rule when it starts up. To do so, we're going to make a change to our interfaces configuration file. To do that, we need to do the following:
This opens the interfaces configuration file. Mine appeared as follows:
# and how to activate them. For more information, see interfaces(5).
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
auto eth0
iface eth0 inet static
address 192.168.1.200
netmask 255.255.255.0
gateway 192.168.1.1
All I need to do now is to add one line to the end of this file, as shown below (with the appropriate line highlighted in bold font):
# and how to activate them. For more information, see interfaces(5).
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
auto eth0
iface eth0 inet static
address 192.168.1.200
netmask 255.255.255.0
gateway 192.168.1.1
pre-up iptables-restore < /etc/iptables.rules
Finish this up by saving the file and exiting the text editor. All that's left to do (and cross your fingers) is to try this out. You can either restart the SSH server and reload the iptables settings, or you can just reboot the server. Your choice. I'm going to do both here. To restart the SSH server and reload the iptables rules, I issued the following commands:
sudo iptables-restore < /etc/iptables.rules
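Before restarting sshd, it is worth confirming that the two edits above agree, because a mismatch is exactly what locks you out. The following pre-flight check is an added example, not part of the original post: it reads the first active Port keyword from an sshd_config file and greps an iptables-save style dump (like the one shown above) for an ACCEPT rule on that TCP port. The sample files are constructed here; point the functions at /etc/ssh/sshd_config and /etc/iptables.rules on a real box.

```shell
#!/bin/sh
# Added pre-flight check, not part of the original post: confirm that the port
# set in sshd_config is also ACCEPTed by the saved iptables rules before sshd
# is restarted. File paths are arguments, so it can be run against copies.

# First active (uncommented) Port keyword in an sshd_config file; default 22.
sshd_port() {
    awk 'tolower($1) == "port" && port == "" { port = $2 }
         END { print (port == "" ? 22 : port) }' "$1"
}

# Succeed if an iptables-save dump has an ACCEPT rule for TCP to the given port.
iptables_accepts_port() {
    grep -E "^-A .*-p tcp .*--dport $2( |$).*-j ACCEPT" "$1" >/dev/null
}

# Print "ok <port>" (exit 0) or "mismatch <port>" (exit 1).
check_ssh_port() {
    port=$(sshd_port "$1")
    if iptables_accepts_port "$2" "$port"; then
        echo "ok $port"
    else
        echo "mismatch $port"
        return 1
    fi
}

# Constructed sample files mirroring the post: sshd_config already moved to
# 2022, plus the iptables rules before and after the matching --dport edit.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/sshd_config" <<'EOF'
#Port 22
Port 2022
#ListenAddress ::
EOF
cat > "$SAMPLE_DIR/rules.old" <<'EOF'
-A net2fw -p tcp -m tcp --dport 80 -m comment --comment "HTTP" -j ACCEPT
-A net2fw -p tcp -m tcp --dport 22 -m comment --comment "SSH" -j ACCEPT
-A net2fw -j Drop
EOF
sed 's/--dport 22 /--dport 2022 /' "$SAMPLE_DIR/rules.old" > "$SAMPLE_DIR/rules.new"

check_ssh_port "$SAMPLE_DIR/sshd_config" "$SAMPLE_DIR/rules.old" || echo "hold the restart"
check_ssh_port "$SAMPLE_DIR/sshd_config" "$SAMPLE_DIR/rules.new" && echo "safe to restart sshd"
```

A "mismatch" result is the state that produces the "connection timed out" symptom described below, with the firewall silently dropping the new port.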
When I exited the remote connection, I tried to get back in by issuing the appropriate SSH command (NOTE: I'm on the local network.):
It worked! Okay, now to give it the ultimate test. Time to reboot the server:
As soon as I issued the command, I was kicked off my remote connection. No worries. I waited 30 seconds and retried the connection. Again, it worked.
While I was figuring this out, I noted a lot of people with problems related to SSH and changing the ports. If you are trying to log in and receive a "connection refused" error message, that tells you that iptables is not the problem. At least, not yet. A "connection refused" message means that you're not using the port number that is in the sshd_config file. However, if you instead try to log in and wait... and wait... and wait, then get a "connection timed out" error message, the problem is somewhere else, and I'd suspect iptables. The reason I got the "connection timed out" error was that iptables was not set up to allow connections to this unusual port number. Its rules were set up to simply drop such connection requests without telling the requester why. That's the best security: it's not in the rules, so, sorry, just drop it. Once I figured out that iptables was the problem, I took the steps outlined above and fixed the problem. If you're having problems with SSH, add the "-v" option so that it gives you an idea of what might be happening. The command will look like this:
There you are. I hope this helps someone.